In a typical enterprise network installation user access can be managed to three or more separate networks. For example, an intranet can be used to refer to the entity's internal network typically only accessible to employees or contractors with employee-like access. Enterprise installations can also provide user access to the Internet to allow for research and exchange of information with other users around the world. Finally, an enterprise installation can have one or more extranets where the entity and its business partners can share information in a more secure setting. Typically, a subset of the entity's mission systems or data can be exposed to its partners via this extranet. Each of these networks has varying levels of trust ranging from the intranet where employees and contractors are considered generally trustworthy, to the extranet where a lesser degree of trust exists, to the Internet where all users are explicitly not trusted.
For the typical enterprise, access between these different networks can be controlled through trusted hosts such as firewalls and application proxies. These trusted hosts need to be correctly configured and meticulously maintained to maintain the correct security boundaries between networks. Many enterprises have had success with the trusted host model because it allows the enterprise to focus its effort on securing a small number of network connections and if necessary also provides an easy mechanism to isolate a network under attack. However, while most government and commercial enterprises moved to connect these networks in the 1990's, certain governmental networks remain largely isolated. These so-called “air gapped” networks remain so because it was determined that access to them by unauthorized users could result in loss of life or grave damage to national security. Thus, users that required access to multiple networks were given multiple workstations. To the end-user this solution had its limitations as these disconnects were seen as an impediment to them effectively performing their job functions.
Over time both the number and importance of these networks has continued to grow to support information sharing for, among other things, the war on terror and coalition war fighting. The number of users that require access to multiple networks as well as the amount of time they must spend on each has grown dramatically. As a result there is a growing demand within the government, particularly within the intelligence and defense communities, to provide access to multiple networks through a reduced number of workstations. By reducing the number of workstations many advantages are realized, such as lower total lifecycle infrastructure costs and fewer required software licenses. Additionally, there is a desire to provide increased functionality and usability through multiple windows on a workstation, each representing a lens into a different network. Furthermore, there exists a vision to provide the ability to re-grade and disseminate data between these networks without requiring onerous processes or human review. Finally, many environmental benefits can also be achieved, including hardware footprint reduction, power reduction, and reduced ambient cooling demands. Each of these is especially critical in environments where physical space is limited such as in ships, submarines, and mobile tactical environments.
To date several solutions have attempted to address the problem of reducing the number of workstations needed to securely access multiple networks, however they have all suffered from the same shortcoming of being complicated to maintain and costly to build. In the 1960's the concept of virtual machines was first introduced by IBM. A virtual machine appears to be its own operating system running its own applications, but the virtual machine does not actually communicate with the hardware directly. Instead the virtual machine communicates to virtualized hardware and it is an underlying host operating system that actually handles the communication directly to the hardware. The introduction of the virtual machine gave rise to the use of a multi-level system virtual machine monitor to isolate virtual machines by security level, first prototyped in the 1970's by System Development Corp. In this solution multiple virtual machines are isolated from each other and a special purpose operating system underneath the virtual machines arbitrates between the virtual machines and deals with accessing the hardware directly. Later variants of this model, having a somewhat more manageable kernel structure and a number of specific innovations (i.e., handling of virtual input/output devices), were built on the VAX SVS system in the 1980's.
Another approach aimed at securely accessing multiple networks from a single machine is the concept of a mandatory access control model. Trusted Solaris is an example of this implementation whereby a user of the system is able to launch programs at different classifications or levels and the data associated with the programs is labeled with the clearance level that maps to that particular classification. Thus, instead of a user having access to all data, the operating system now has the ability to separate out the pieces of data that the user can access. For example, there might be top-secret, secret, and unclassified data levels and only certain applications or certain processes can access certain data. Basically the mandatory access control model endeavors to prevent rogue applications from running disguised as a trusted user and accessing certain types of application data. This concept however also proved difficult and complicated to implement and never achieved any success in the commercial operating system arena.
More recently, the National Security Agency (NSA) launched project NetTop, generically described as a system architecture designed to provide secure access to multiple security domains from a single machine by using virtual machine technology. In the NetTop architecture multiple virtual machines each run a standard commercial operating system on top of a host operating system, but rather than the host operating system being something like a mainframe operating system like VAX, it is actually a PC operating system with some additional security changes added to support a mandatory access control model. To date the NetTop systems have been based exclusively on the VMWare virtual machine monitor and have used Security Enhanced (SE) Linux as the host operating system. While the NetTop architecture may hold promise at solving the multi-security domain access issue, NetTop still presents challenges with respect to employing a host operating system which is neither easy nor cost-effective to support.
Accordingly, there exists a need for an architecture which allows for securely accessing multiple networks from a single workstation, that is easy to maintain and administer, and one on which it is not cost prohibitive to do so. Such an architecture would optimally provide for a mandatory access control model which could be implemented on widely used commercial operating systems out-of-the-box.